How to secure GitLab when it is exposed to the internet while having runners inside the company network?

Hello,

When running GitLab as a hosted instance accessible from the Internet, with GitLab Runners running on a Kubernetes cluster inside the company network, how can it be protected against attacks?

Since anybody with an account can create and change files in repos, they could run any Docker image they want and do whatever they want in the company network.

How to secure against that? Especially in those “DevOps” times when everybody wants to directly deploy to production?